How to Fight off Identity Theft with Technology
With the recent news about security flaws in Java and tax season in full swing, now is a great time to consider ways of enhancing cyber-security for our clients and ourselves.
I’m not going to rehash the basics like keeping operating systems and antivirus software patched and updated. That stuff should be almost automatic by now. Avoiding or outright disabling Java is also a no-brainer. No, I want to cover some of the other areas of cyber-security that aren’t discussed as much but deserve attention, beginning with wireless networking.
Network security is about access control. With a wired network, a physical barrier prevents access. Generally speaking, someone has to be inside your office to plug into a wired network. With a wireless network, however, especially one that broadcasts its name to every passing device, you’ve basically installed a network jack just outside your front door with a big neon sign advertising its existence.
Given enough time, all commercially available wireless networks can be hacked. If you expect to be the target of a direct attack by someone specifically targeting your data instead of looking for a random opportunity, don’t store sensitive information where it could be accessed via your wireless network. Data that’s not there can’t be stolen. Actually, if you expect to be the target of such an attack you shouldn’t have a wireless network at all.
If, like most of us, you’re really only worried about the casual hacker who lives or works next door and is probably just looking for a free Internet connection and any easily accessible information, changing one setting will make your wireless network less likely to be targeted. Turn off the SSID Broadcast in your wireless router. Whenever I pull out my smart phone in a public place, a list of nearby networks pops up, many of them proudly proclaiming the name of the company or person who owns them. Don’t be on that list. Disabling the broadcast feature means someone has to know the name of your network before connecting to it. Well, for the most part. People with special software can still see the network, but disabling SSID broadcast at least dims the lights on the neon sign a little. Check your wireless router manual for details on this relatively simple procedure.
The same logic applies to your Bluetooth-enabled devices. Bluetooth is a kind of wireless network. The only time a Bluetooth device should be visible is when it’s being paired with another device. After that, lock it down. I prefer to turn Bluetooth off altogether unless it’s in use. That saves battery as well as worry.
Creating a strong wireless encryption key helps, too. The better your password, the longer someone has to sit within range of your network to crack it open. With a simple password and a lucky hacker, your network could be unlocked in minutes. Super-complex passwords could take days to crack because the hacker has to keep a computer in the network’s range, collecting network activity. Hopefully, your would-be thief will decide to move on to another network before wasting that much time decoding your password.
Wireless tips: Disable SSID broadcast, turn off Bluetooth visibility, and make your wireless keys long and complex.
Speaking of passwords, statistics say the password you’re most likely to use is “password” (or some variant of it) or “abc123.” If either of those is your password, please go change it.
Seriously. You need to change it. I’ll wait.
The rules that force you to change a password every 90 days or require complex mixes of punctuation, letters, and numbers may seem like they were concocted by some overzealous IT manager, but there are good reasons for these practices. Complex passwords really do take longer to break than simple passwords. And changing a password forces someone who may be trying to crack it by systematically checking character combinations (this is called a brute force attack) to start again from scratch.
Complex passwords need not be something entirely new or unique as long as they’re not made of dictionary words or number sequences. My first complex password, years ago, was the serial number from the bottom of a mouse. It was always within reach and I managed to memorize it after a few weeks of use. Serial numbers, part of an old address, or even the first letter of each word in an album title can be combined to form a great password. Consider this: i0wcm-Z8!2940-yOsly. That’s the serial number from my old mouse, an address, and the first letter of each word in the title of Matchbox 20’s album “Yourself or Someone Like You,” along with two extra punctuation marks. The only way that password could be broken is with a brute force attack because those combinations of letters and numbers don’t form any words or patterns.
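The brute-force arithmetic behind this advice, as an added example that is not from the original article. It assumes a hypothetical attacker speed of 10 billion guesses per second and treats the two weak passwords named above, plus simple variants of them, as instant wordlist hits.

```python
import math
import string

# Constructed sample wordlist: the two weak passwords the article names.
COMMON = {"password", "abc123"}

# Assumed attacker speed in guesses per second (hypothetical, not from the article).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(pw: str) -> int:
    """Size of the character pool a brute-force search must cover for pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII punctuation marks
    return size


def is_dictionary_hit(pw: str) -> bool:
    """True for a listed password or a trivial variant (case, trailing digits/punctuation)."""
    lowered = pw.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON or core in COMMON


def brute_force_bits(pw: str) -> float:
    """log2 of the number of candidates of this length over this alphabet."""
    n = alphabet_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def years_to_exhaust(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate; 0.0 when a wordlist finds it first."""
    if is_dictionary_hit(pw):
        return 0.0
    return 2 ** brute_force_bits(pw) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("abc123", "Password1!", "qzvxkjwp", "i0wcm-Z8!2940-yOsly"):
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw):.3g} years")
```

Length dominates the result: each extra character multiplies the search space by the alphabet size, which is why the 19-character example outlasts an 8-character password by many orders of magnitude.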
For considerable password help at the expense of a modicum of security, you might consider a password management system like 1Password. Not only will the program store passwords in a highly encrypted vault that can be synced across multiple devices, it can also create large, random, complex passwords for any purpose and store those passwords in the vault as well. Just remember to back up the vault and don’t use one of the random passwords for securing that backup. An editor at Wired recently wrote about being hacked and cut off from his vault. Since his backup was secured with a password that was stored within the vault, he had no way to get it back. The drawback to 1Password is that the vault is locked by a single master access code. If someone gets the master code, that person has access to everything.
Password tips: Change passwords periodically. Use familiar or easily accessible information in an unusual way to create memorable but complex passwords. Try a password management program like 1Password.
Tablets and smart phones also have passwords and locks. Use them. A password won’t protect you from theft, and someone who really wants to get at the data may be able to find a way. But, for the most part, a device that’s locked has to be wiped before it can be pawned or sold. That’s exactly what we want! A phone or laptop might get stolen, but at least with a password lock we have some layer of protection from information theft. It’s better than leaving the information wide open.
Many smart phones will also wipe themselves of data if the wrong password is entered too many times. I cannot recommend this enough. Just make sure the data on your device is being backed up regularly. Also remember that even when locked, most, if not all, smart phones these days can still be used to dial emergency services.
Device tips: Enable passwords for all of your devices where sensitive data is stored. Enable the option to wipe your device after too many bad password attempts – just be sure to back up often.
What about the security of information you send via e-mail? In its trip from your computer to the destination computer, your e-mail is routed through at least one server. Every server where the e-mail is received and forwarded is a possible intrusion point where your information – or that of your clients – could be accessed. Who knows how long those servers store e-mails or who can see them?
At the very least, and if the option is available, send private documents in PDF format with password security enabled. Then either text, phone, or separately e-mail the password to the intended recipient. It’s not optimal, but it’s better than nothing.
For safer information sharing, SmartVault is a service that provides secure file storage and sharing via the cloud. You can set access rights for other users and make files available for secure download by specific individuals. This is useful in environments where private data needs to be accessed by multiple employees or shared with clients, all while maintaining security. Instead of e-mailing files around, bypassing all security, just load them into SmartVault.
Secure file sharing tips: Don’t send any private data unencrypted via e-mail. If you must use e-mail, attach private info as a password-protected PDF and send the password separately. For ultimate security and file sharing possibilities, try SmartVault.
I can’t mention file security without discussing the importance of offsite backups. External hard drives are great, but are they encrypted? Not only does a local backup provide zero protection from floods and fires, but if the data isn’t encrypted that backup could be a major liability with regard to information theft.
SmartVault is great for keeping some client data safe and accessible. As a complete backup solution, though, it’s a little like renting retail space to store the old sofa and dinette set that you’ll someday pass along to the kids. You need something more like a self-storage locker to store whole hard drives. It’s not quite as easily accessible, but it’s a lot cheaper.
So where do you find a decent storeroom for your data? Try a service like CrashPlan or Mozy. They provide encrypted cloud storage and software to encrypt and send your data to their servers. Since the files are encrypted before they leave your computer, your data is useless to anyone who might see it on the remote server or in transit because you’re the only person with the decryption key.
While any encryption can be broken with enough time and processing power, this isn’t the same as cracking a network password or even breaking into a password-protected computer. Breaking into encrypted files, with the levels of security these commercial services use, is practically impossible. As long as you’ve made a strong password, the process would take billions upon billions of years with current computer technology.
I hope these tips help keep your private information safe and secure this tax season. While there is no 100% effective security solution, outside of not storing any data to begin with, we can mitigate some security concerns by taking a few simple steps, and taking advantage of widely available technology and software. Good luck.